---
#######
# BEGIN: Ansible roles_path variables
#
#   Background/reference about external repos pulled in:
#       https://pagure.io/fedora-infrastructure/issue/5476
#
# NOTE(review): the keys in this file look alphabetically sorted, so this
# BEGIN marker and the matching END marker after fedmsg_validate_signatures
# no longer bracket only the roles_path variables -- confirm and relocate.
#
# IPA settings
# No additional host keytabs are requested by default.
additional_host_keytabs: []
# Base path; openshift_ansible further down points below this directory.
ansible_base: /srv/web/infra
# Default to managing the network; we do not want to do this on select
# hosts (like cloud nodes).
# NOTE(review): no "manage the network" switch follows this comment; it
# appears to have been separated from its variable -- confirm.
# List of interfaces to explicitly disable
ansible_ifcfg_disabled: []
# On MOST infra systems, the interface connected to the infra network
# is eth0, but not on quite ALL systems: e.g. on s390 boxes it's enc900,
# on openqa-ppc64le-01.qa it's eth2 for some reason, and on qa01.qa and
# qa02.qa it's em3. Currently this only affects whether GATEWAY, DOMAIN
# and DNS1/DNS2 lines are put into ifcfg-(device).
ansible_ifcfg_infra_net_devices: ['eth0', 'enc900']
#
# Autodetect python version
#
ansible_python_interpreter: auto
# Set variable if we want to use our global iptables defaults.
# Some things need to set their own.
# A host that turns this off has to bring its own firewall rules;
# presumably nothing else filters it then -- verify in the base role.
baseiptables: True
# By default set become to false here. We can override it as needed.
# Note that if become is true, you need to unset requiretty for
# ssh controlpersist to work.
become: false
# Dotted-quad netmasks; br0 and br1 are the values of main_bridge and
# nfs_bridge in this file.
br0_nm: 255.255.255.0
br1_nm: 255.255.255.0
# assume collectd apache
collectd_apache: true
# true or false if we are or are not a copr build virthost.
# Default to false
copr_build_virthost: false
# assume createrepo is true and this builder has the koji nfs mount to do that
createrepo: True
# System-identification (csi_*) defaults; how they are used is described
# in the comment above csi_security_category.
csi_primary_contact: Fedora Admins - admin@fedoraproject.org
csi_purpose: Unspecified
csi_relationship: |
  Unspecified.
  * What hosts/services does this rely on?
  * What hosts/services rely on this?

  To update this text, add the csi_* vars to group_vars/ in ansible.
# These csi_* vars get shoved into /etc/system_identification by the base role.
# Groups and individual hosts should override them with specific info.
# See http://infrastructure.fedoraproject.org/csi/security-policy/
# "Unspecified" means no group or host file classified the machine; treat
# that as a gap to close rather than as a low-sensitivity rating.
csi_security_category: Unspecified
# No custom firewall rules by default. The commented custom_rules example
# next to tcp_ports shows the expected form (iptables arguments);
# custom6_rules is presumably the IPv6 counterpart -- confirm.
custom6_rules: []
custom_rules: []
# most of our systems are in IAD2
datacenter: iad2
# These are used to:
#  1) configure mod_wsgi
#  2) open iptables rules for fedmsg (per wsgi thread)
#  3) declare enough fedmsg endpoints for the service
# They have no global default; the commented lines below are an example only.
#wsgi_fedmsg_service:  bodhi
#wsgi_procs: 4
#wsgi_threads: 4

# By default, nodes don't backup any dbs on them unless they declare it.
dbs_to_backup: []
# Resolver addresses and search domains. dns and dns1 carry the same
# address in this file; the virt_install_command_* entries use dns (one of
# them uses dns1) and network_connections uses dns1/dns2.
dns: "10.3.163.33"
dns1: "10.3.163.33"
dns2: "10.3.163.34"
dns_search1: "iad2.fedoraproject.org"
dns_search2: "fedoraproject.org"
# env is staging or production, we default it to production here.
# Because production is the fallback, a staging host that misses its
# override picks up production values (ipa_admin_password below, for one,
# points at ipa_prod_admin_password).
env: production
env_prefix: ""
env_short: prod
env_suffix: ""
# Default netmask. All of our iad2 nets are /24's. Almost all of our
# non-iad2 sites are less than a /24.
# This one is a prefix length, while nm, eth1_nm, br0_nm and br1_nm are
# dotted-quad masks.
eth0_ipv4_nm: 24
# Defaults for the second (eth1) interface; eth1_ip feeds the "-nfs" ip=
# argument of the two-NIC virt_install_command_* entries.
eth1_ip: 10.0.0.10
eth1_nm: 255.255.255.0
# By default, fedmsg hosts are in passive mode.  External hosts are typically
# active.
fedmsg_active: False
# By default, nodes get no fedmsg certs.  They need to declare them explicitly.
fedmsg_certs: []
# A special flag that, when set to true, will disconnect the host from the
# global fedmsg-relay instance and set it up with its own local one.  You can
# temporarily set this to true for a specific host to do some debugging -- so
# you can *replay real messages from the datagrepper history without having
# those broadcast to the rest of the bus*.
fedmsg_debug_loopback: False
fedmsg_env: prod
# By default, fedmsg sends error logs to sysadmin-datanommer-members@fp.o.
fedmsg_error_recipients:
  - sysadmin-datanommer-members@fedoraproject.org
# By default, fedmsg should not log debug info.  Groups can override this.
fedmsg_loglevel: INFO
# Amount of time to wait for connections after a socket is first established.
fedmsg_post_init_sleep: 1.0
# Other defaults for fedmsg environments
fedmsg_prefix: org.fedoraproject
# Everywhere, always, we should sign messages and validate signatures.
# However, we allow individual hosts and groups to override this.  Use this very
# carefully... and never in production (good for testing stuff in staging).
# When reviewing group_vars/host_vars changes, any override of these two
# keys outside staging deserves a second look.
fedmsg_sign_messages: True
fedmsg_validate_signatures: True
#
# END: Ansible roles_path variables
# NOTE(review): with the keys sorted alphabetically, the BEGIN/END pair now
# encloses every variable from additional_host_keytabs to here -- confirm
# whether the markers still mean anything.
#######
# NOTE(review): undocumented here; presumably marks hosts as subject to
# infrastructure freezes -- confirm against the playbooks that read it.
freezes: true
# defaults for hw installs
install_noc: none
# Indirection to ipa_prod_admin_password, which is not defined in this file
# (presumably it lives in private vars -- confirm). Staging groups need
# their own override so they never pick up the production credential.
ipa_admin_password: "{{ ipa_prod_admin_password }}"
ipa_realm: FEDORAPROJECT.ORG
ipa_server: ipa01.iad2.fedoraproject.org
ipa_server_nodes:
  - ipa01.iad2.fedoraproject.org
  - ipa02.iad2.fedoraproject.org
  #- ipa03.iad2.fedoraproject.org
# Install tree handed to virt-install -l in the virt_install_command_*
# entries. Both this and ks_url are plain http:// URLs, so the installer
# fetches the tree and the kickstart without transport integrity
# protection; the installs should stay on a trusted network segment.
ks_repo: http://infrastructure.fedoraproject.org/repo/rhel/RHEL7-x86_64/
# defaults for virt installs
ks_url: http://infrastructure.fedoraproject.org/repo/rhel/ks/kvm-rhel-7
# most of our systems are 64bit.
# Used to install various nagios scripts and the like.
libdir: /usr/lib64
# NOTE(review): the unit is not stated in this file -- confirm in the role
# that creates the volume.
lvm_size: 20000
# Passed as mac= to virt-install for the first and second NIC.
mac_address: RANDOM
mac_address1: RANDOM
main_bridge: br0
# Upper bounds passed as maxvcpus= and maxmemory=: five times the
# num_cpus / mem_size configured for the guest.
max_cpu: "{{ num_cpus * 5 }}"
max_mem_size: "{{ mem_size * 5 }}"
# Passed to virt-install --memory.
mem_size: 4096
nagios_Can_Connect: true
# Nagios global variables
# Per-service switches; mail, nrpe, ping, sshd and swap are on by default,
# the rest are off.
nagios_Check_Services:
  dhcpd: false
  httpd: false
  mail: true
  named: false
  nrpe: true
  ping: true
  raid: false
  sshd: true
  swap: true
nat_rules: []
# default network block device encryption settings for linux-system-roles/nbde_client
# Review notes on the binding below:
#  * password_temporary: no -- per the nbde_client role documentation the
#    supplied password is then left on the device after binding, so
#    nbde_password stays a working unlock secret and needs the same
#    protection as any other credential. TODO confirm against the role
#    version in use.
#  * threshold: 1 with two servers should mean either Tang server on its
#    own is enough to unlock the device -- confirm this is the intent.
#  * The Tang URLs are http://. Tang is designed to run over plain HTTP,
#    but the binding step trusts the keys the server advertises, so it
#    should be run from a trusted network.
#  * nbde_password is not defined in this file.
nbde: true
nbde_client_bindings:
  - device: /dev/md2
    encryption_password: "{{ nbde_password }}"
    password_temporary: no
    threshold: 1
    servers:
      - http://tang01.iad2.fedoraproject.org
      - http://tang02.iad2.fedoraproject.org
# usually we do not want to enable nested virt, only on some virthosts
nested: false
# Default connection profile: one static, non-DHCP ethernet connection
# named eth0, matched by the MAC address of the default IPv4 interface.
# eth0_ipv4_ip and eth0_ipv4_gw are not defined in this file and have to
# come from host or group vars.
network_connections:
  - autoconnect: yes
    ip:
      address:
        - "{{ eth0_ipv4_ip }}/{{ eth0_ipv4_nm }}"
      dhcp4: no
      dns:
        - "{{ dns1 }}"
        - "{{ dns2 }}"
      dns_search:
        - "{{ dns_search1 }}"
        - "{{ dns_search2 }}"
      gateway4: "{{ eth0_ipv4_gw }}"
    mac: "{{ ansible_default_ipv4.macaddress }}"
    name: eth0
    type: ethernet
nfs_bridge: br1
# nfs mount options, override at the group/host level
# The default is read-only with nodev and nosuid. Overrides that need rw
# should still keep nodev,nosuid so the export cannot hand device nodes or
# setuid binaries to the client.
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,nfsvers=3"
# Dotted-quad netmask used in the ip= argument of several
# virt_install_command_* entries.
nm: 255.255.255.0
# Most of our machines have manual resolv.conf files
# These settings are for machines where NM is supposed to control resolv.conf.
# NOTE(review): no resolv.conf setting follows this comment; it appears to
# have been separated from its variables -- confirm.
# by default, the number of emails in queue before we go critical
nrpe_check_postfix_queue_crit: 5
# by default, the number of emails in queue before we whine
nrpe_check_postfix_queue_warn: 2
# by default the number of procs we allow before we go critical
nrpe_procs_crit: 300
# by default the number of procs we allow before we whine
nrpe_procs_warn: 250
# Passed to virt-install --vcpus.
num_cpus: 2
# ocp4 is default now in some proxy roles
ocp4: true
# All the ocp production workers.
# This is used by the openvpn openshift app to make sure there's a vpn pod on each node.
ocp_nodes:
  - worker01.ocp.iad2.fedoraproject.org
  - worker02.ocp.iad2.fedoraproject.org
  - worker03.ocp.iad2.fedoraproject.org
  - worker04.ocp.iad2.fedoraproject.org
  - worker05.ocp.iad2.fedoraproject.org
  - worker06.ocp.iad2.fedoraproject.org
# The *_cert_file / *_crt_file / *_int_file / *_key_file values here are
# file names only; no certificate or key material is stored in this file.
# Naming differs between groups: ocp_* uses _cert_file, while os_* and the
# proxy wildcard_* keys use _crt_file.
ocp_wildcard_cert_file: wildcard-2022.apps.ocp.fedoraproject.org.cert
# This is the openshift wildcard cert for ocp
ocp_wildcard_cert_name: wildcard-2022.apps.ocp.fedoraproject.org
ocp_wildcard_int_file: wildcard-2022.apps.ocp.fedoraproject.org.intermediate.cert
ocp_wildcard_key_file: wildcard-2022.apps.ocp.fedoraproject.org.key
# Path to the openshift-ansible checkout as external git repo brought into
# Fedora Infra
openshift_ansible: /srv/web/infra/openshift-ansible/
# This is the openshift wildcard cert. Until it exists set it equal to wildcard
os_wildcard_cert_name: wildcard-2022.app.os.fedoraproject.org
os_wildcard_crt_file: wildcard-2022.app.os.fedoraproject.org.cert
os_wildcard_int_file: wildcard-2022.app.os.fedoraproject.org.intermediate.cert
os_wildcard_key_file: wildcard-2022.app.os.fedoraproject.org.key
# The literal string "none", not a YAML null.
postfix_group: "none"
# This is a list of services that need to wait for VPN to be up before getting started.
postvpnservices: []
preferred_dc: iad2
primary_auth_source: ipa
#
# Set a redirectmatch variable we can use to disable some redirectmatches
# like the prerelease to final ones.
#
redirectmatch_enabled: True
# default the root_auth_users to nothing.
# This should be set for cloud instances in their host or group vars.
# Presumably the users named here are granted root SSH access by the
# consuming role -- verify there before adding anyone.
root_auth_users: ''
# List of names under which the host is available
ssh_hostnames: []
# This enables/disables the SSH "keyhelper" used by Pagure for verifying users'
# SSH keys from the Pagure database
sshd_keyhelper: false
# Normal default sshd port is 22
sshd_port: 22
# No extra TCP ports are listed by default; hosts and groups declare what
# they need.
tcp_ports: []
# example of ports for default iptables
# tcp_ports: [ 22, 80, 443 ]
# udp_ports: [ 110, 1024, 2049 ]
# multiple lines can be handled as below
# custom_rules: [ '-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT',
#                  '-A INPUT -p tcp -m tcp --dport 8889 -j ACCEPT' ]
# We default these to empty
udp_ports: []
# Most EL systems need default EPEL repos.
# Some systems (notably fed-cloud*) need to get their own
# EPEL files because EPEL overrides packages in their core repos.
use_default_epel: true
#
# The default virt-install works for rhel7 or fedora with 1 nic
#
# Notes for anyone editing the virt_install_command_* entries:
#  * Every entry except pxe_rhcos passes inst.ks=<ks_url>, and ks_url
#    defaults to an http:// URL in this file, so the kickstart is fetched
#    without transport integrity protection.
#  * The *_unsafe entries add cache=unsafe,io=threads,discard=unmap to the
#    disk. With cache=unsafe the host ignores guest flush requests, so a
#    host crash can corrupt the guest disk; keep them for guests that can
#    be rebuilt.
#  * virt_install_command_one_nic is the only entry that also passes
#    nameserver=8.8.8.8 (a public resolver) to the installer.
#    NOTE(review): confirm this is intended; the other entries pass only
#    the internal dns/dns1 value.
#  * The netmask field of ip= is nm (dotted quad) in some entries and
#    eth0_ipv4_nm (prefix length) in others.
#  * virt_install_command_rhel6 hard-codes bridge=br0 instead of using
#    main_bridge, and virt_install_command_armv7_one_nic sets no model= or
#    mac= on its network.
#  * volgroup, eth0_ipv4_ip, eth0_ipv4_gw and the rhcos_* URLs are not
#    defined in this file and must come from group or host vars.
virt_install_command: "{{ virt_install_command_one_nic }}"
virt_install_command_aarch64_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole
virt_install_command_aarch64_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole
virt_install_command_aarch64_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --rng /dev/random
virt_install_command_armv7_one_nic: virt-install -n {{ inventory_hostname }} --arch armv7l --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }} --autostart --noautoconsole --rng /dev/random
virt_install_command_armv7_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --arch armv7l --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyAMA0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random
virt_install_command_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} nameserver=8.8.8.8 ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
virt_install_command_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns1 }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random --cpu host
virt_install_command_ppc64le_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_ppc64le_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_pxe_rhcos: virt-install -n {{ inventory_hostname }} --vcpus {{ num_cpus }},maxvcpus={{ num_cpus }} --cpu host --memory  {{ mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --nographics --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --hvm --accelerate --autostart --wait=-1 --extra-args "ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:ens2:none hostname={{ inventory_hostname }} nameserver={{ dns }} console=ttyS0 nomodeset rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=vda coreos.live.rootfs_url={{ rhcos_install_rootfs_url }} coreos.inst.ignition_url={{ rhcos_ignition_file_url }}" --os-variant rhel7 --location  {{ rhcos_install_url }}
virt_install_command_rhel6: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x "inst.ksdevice=eth0 inst.ks={{ ks_url }} ip={{ eth0_ipv4_ip }} netmask={{ nm }} gateway={{ eth0_ipv4_gw }} dns={{ dns }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }}" --network=bridge=br0 --autostart --noautoconsole --watchdog default
virt_install_command_s390x_one_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host
virt_install_command_s390x_one_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --autostart --noautoconsole --rng /dev/random --cpu host
virt_install_command_two_nic: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }} --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network=bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
virt_install_command_two_nic_unsafe: virt-install -n {{ inventory_hostname }} --memory={{ mem_size }},maxmemory={{ max_mem_size }} --memballoon virtio --disk bus=virtio,path={{ volgroup }}/{{ inventory_hostname }},cache=unsafe,io=threads,discard=unmap --vcpus={{ num_cpus }},maxvcpus={{ max_cpu }} -l {{ ks_repo }} -x 'net.ifnames=0 inst.ksdevice=eth0 inst.ks={{ ks_url }} console=tty0 console=ttyS0 hostname={{ inventory_hostname }} nameserver={{ dns }} ip={{ eth1_ip }}:::{{ nm }}:{{ inventory_hostname_short }}-nfs:eth1:none ip={{ eth0_ipv4_ip }}::{{ eth0_ipv4_gw }}:{{ nm }}:{{ inventory_hostname }}:eth0:none' --network bridge={{ main_bridge }},model=virtio,mac={{ mac_address }} --network bridge={{ nfs_bridge }},model=virtio,mac={{ mac_address1 }} --autostart --noautoconsole --watchdog default --rng /dev/random
# assume vpn is false
vpn: False
# This is the wildcard certname for our proxies.  It has a different name for
# the staging group and is used in the proxies.yml playbook.
# The four values below are names only; no certificate or key material is
# stored in this file.
wildcard_cert_name: wildcard-2022.fedoraproject.org
wildcard_crt_file: wildcard-2022.fedoraproject.org.cert
wildcard_int_file: wildcard-2022.fedoraproject.org.intermediate.cert
wildcard_key_file: wildcard-2022.fedoraproject.org.key
#
# say if we want the apache role dependency for mod_wsgi or not
# In some cases we want mod_wsgi and no apache (for python3 httpaio stuff)
#
wsgi_wants_apache: true
# set no x-forward header by default
x_forward: false
